Alexandria, VA 22313-1450
PATENT



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE



In re application of 

E. A. Corl et al 
Filed: 16 January 2001
Date: November 23, 2005

Group Art Unit: 2161 

Examiner: M.R. Filipczyk 
The Commissioner of Patents
Alexandria, VA 22313-1450

This declaration is to establish completion of the invention in this application
in the United States, at a date prior to October 23, 2000, the effective date of the 
Lu et al U.S. Patent 6,778,984 cited by the Examiner. This declaration is presented 
in response to the first Official Action in which the Lu et al patent has been cited. 

The persons making this declaration are the inventors. 

The attached Invention Disclosure document is submitted as evidence to 
establish the date of completion of the invention of this application. The dates 
appearing on the original document have been redacted. However, the declarant 
states that the redacted dates are well prior to October 30, 2000. 

The declarants further state that conception of the invention was followed by
due diligence from the time of conception to a time just prior to the effective date of 
the reference, up to the actual reduction to practice of the invention and the filing 
of this application. 

I hereby declare that all statements made herein of my own knowledge are 
true and that all statements made on information and belief are believed to be true; 
and further that these statements were made with the knowledge that willful false
statements and the like so made are punishable by fine or imprisonment, or both,
under Section 1001 of Title 18 of the United States Code and that such willful false
statements may jeopardize the validity of the application or any patent issued 
thereon. 

Inventor: Everett Arthur Corl, Jr.
Signature: 

Date: [illegible]
RAL920O00OO9DUS1 2 
Inventor: Gordon Taylor Davis
Signature:




Inventor: Victoria Sue Thio 

Signature: [illegible]
Date: [illegible]

Inventor: Colin Beaton Verrilli

Signature: 

Date: 

Inventor: Avraham Zehavi 
Signature: 

Date: 
Inventor: Gordon Taylor Davis
Signature: 

Date: 

Inventor: Victoria Sue Thio 
Signature: 

Date:

Inventor: Colin Beaton Verrilli
Signature:

Date:

Inventor: Avraham Zehavi

Signature: [illegible]

Date: [illegible]
Disclosure RAL8-2000-0094

Created By: Clark D Jeffries    Created On: 2000 10:52:35 AM
Last Modified By: Karen Orzechowski    Last Modified On: 2000 12:29:27 PM



Summary 



IBM Confidential
Processing
Attorney/Patent
IDT Team
MO-OHB RAINIER & Network Hardware and Software, Modems, Internet, LANs, WANs...700



Josh G Cockburn/Raleigh/IBM



Owning Division 



PVT Score 



Incentive Program 



Lab 



Technology Code 



Josh G Cockburn/Raleigh/IBM; Kenneth Barker/Raleigh/IBM; Todd Rasmus/Raleigh/IBM; Norm
Strole/Raleigh/IBM; Joel Geyer/Raleigh/IBM; Joe Logan/Raleigh/IBM

2000 10:53:16 AM



MO 
Inventors with Lotus Notes IDs

Inventors: Art Corl Jr/Raleigh/IBM, [illegible]
Verrilli/Raleigh/IBM, Abraham Zehavi/Haifa/IBM@IBMIL



Inventor Name (> denotes primary contact) | Inventor Serial | Div/Dept | Manager Serial | Manager Name




Inventors without Lotus Notes IDs 

IDT Selection
Main Idea 

Automatic partitioning of filter rules 

1. [illegible] stating the problem solved (if appropriate); and indicating the advantages [illegible]

Administrators can create filter rules for network security. In general, information in the headers of an IP
[illegible] a key (a fixed-length binary string). The key is tested by a filter rule and if the rule
[illegible] (such as permit [illegible] passage of [illegible]) is applied. The rule applies to
various fixed length components of the key such as IP Source Address, IP Destination Address and so
on. A rule might [illegible] have a restricted set of values in each component (as opposed to all
possible binary values of the given length). If the rule has a restricted [illegible]

a rule if and only if all components of the key lie in the respective component ranges of the rule.
[illegible] a key fits two or more rules [illegible] the administrator must declare [illegible] among
rules that guarantee inconsistent actions will not be the outcome of the several fits. The testing of a key
relative to a set of filter rules and the application of the stored action or actions associated with the rules that
the key fits is called enforcement of the set of filter rules.

Two rules intersect if at least one key fits both.

If the range of values in a component of a rule is exactly one value, then that component of the rule is
called an exact component. If all the components of a rule are exact, then the rule is called an exact rule.

If the range of values in a component of a rule is all possible binary values of the component length, then

herein range rules. In general, sets of range rules include some rules that intersect. Also sets of range

One method of testing keys relative to such sets of intersecting rules is the Software Managed Tree (SMT)
method as disclosed in docket [illegible] (disclosure [illegible])

[illegible] management of static and dynamic filter rules [illegible] docket RAL9-[illegible]031 (disclosure
[illegible]027)

It can also happen that some rules have ranges on only one component of a key. For example, there might
be a thousand rules in which every component is exact except for the Destination Port number [illegible]
rule, which is in every one of the thousand rules a wildcard component. Let us call a set of such rules with
given common wildcard component "almost-exact rules." In a set of almost-exact rules, no two of
such rules intersect. One method of testing keys relative to such sets of nonintersecting rules is [illegible]

[illegible] component [illegible] rules, [illegible] a hash [illegible] the geometric hash described in docket
[illegible] (disclosure RAL8-1998-0087). Then the key can be processed by the Full Match Tree (FMT)
method as disclosed in docket RAL9-1993-0139-US1.

It can be proven that no two nonidentical almost-exact rules with the same wildcard component intersect.

[illegible] rules are mixed with other rules, the combined set can be difficult to enforce at

2. [illegible] an advantage (a description of the invention [illegible])

The present invention includes the concept of administrative use of a partitioning mechanism of rules into 
1. A set of n = one or more special components such as Destination Port.
2. For each special component, a maximal set of almost-exact rules labeled AE1, AE2, ..., AEn that are
fixed in all components except that have a wildcard component in the special component.

3. A complementary set C consisting of all rules that are not included in the disjoint sets of
rules AE1, AE2, ..., AEn defined by 1 and 2.

In this embodiment, no almost-exact rule intersects with any other rule.

[illegible] partition, the present invention also includes a total of n separate FMTs corresponding to the
sets of almost-exact rules AE1, AE2, ..., AEn.

The present invention also includes one SMT for the rules in the complementary set C.

No rule in a set AEi intersects any other rule in any AEj. No rule in any AEi intersects any rule in C.
Therefore the above FMT and SMT tests can be carried out in parallel without consideration of priority of

Following is pseudo-code for generating AE1, ..., AEn and C from a general set of filter rules with n
components.

Start

1. Let F be the set of all filter rules to be partitioned. Each filter rule has n components with bit lengths
B1, B2, ..., Bn.

2. For each i = 1, 2, ..., n let Si be initially an empty set.

3. Test each rule in F for the property that in component i the range of values in the rule is the interval [0,
2^Bi - 1]. Include in set Si if pass.

4. Test each rule that passes 3 for the property that in all components except i the rule is exact. Delete
from set Si if fail.

5. Test each rule in set Si for intersection with any rule not in set Si. Delete from Si if there is at least
one such intersection. [Alternatively, compute the priority number of rules in set Si and delete any from Si
that are not of priority number 1.]

5. For each i, determine the number Ni of rules in set Si. 

6. If Ni >= a threshold (determined in part by the number of rules in F), then declare Si a "partition set".

7. The complement set C is the set of rules in F and not in any Si.

8. Test rules in each Si with the appropriate hash function and FM Tree.

9. Test rules in C with SMT. 
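
The partitioning steps 1 to 7 above can be sketched in Python as follows. This is an added example, not code from the disclosure; the tuple-of-ranges rule representation, the function names, the sample rules and the caller-supplied threshold are assumptions made for illustration, and F is assumed to contain no duplicate rules.

```python
from typing import Dict, List, Tuple

Rule = Tuple[Tuple[int, int], ...]  # one inclusive (lo, hi) range per key component

def intersects(a: Rule, b: Rule) -> bool:
    """Two rules intersect if some key fits both: ranges overlap in every component."""
    return all(alo <= bhi and blo <= ahi for (alo, ahi), (blo, bhi) in zip(a, b))

def partition(rules: List[Rule], bits: List[int], threshold: int):
    """Return ({component index i: partition set Si}, complement set C)."""
    parts: Dict[int, List[Rule]] = {}
    for i, width in enumerate(bits):
        full = (0, 2 ** width - 1)
        # Steps 3-4: wildcard in component i, exact in every other component.
        s_i = [r for r in rules if r[i] == full
               and all(lo == hi for j, (lo, hi) in enumerate(r) if j != i)]
        # Step 5: delete members that intersect any rule not in Si.
        outside = [r for r in rules if r not in s_i]
        s_i = [r for r in s_i if not any(intersects(r, o) for o in outside)]
        # Count Ni and apply the step 6 threshold (hypothetical parameter here).
        if len(s_i) >= threshold:
            parts[i] = s_i
    claimed = {r for s in parts.values() for r in s}
    # Step 7: C is every rule of F that is in no partition set.
    return parts, [r for r in rules if r not in claimed]

# Constructed sample: key = (source IP, destination IP, destination port).
BITS = [32, 32, 16]
ANY_IP, ANY_PORT = (0, 2**32 - 1), (0, 2**16 - 1)

def exact(v: int) -> Tuple[int, int]:
    return (v, v)

R1 = (exact(0x0A000001), exact(0x0A000064), ANY_PORT)  # almost-exact
R2 = (exact(0x0A000002), exact(0x0A000064), ANY_PORT)  # almost-exact
R3 = (exact(0x0A000003), exact(0x0A000064), ANY_PORT)  # almost-exact, overlaps R4
R4 = (exact(0x0A000003), ANY_IP, exact(22))            # wildcard destination, port 22
R5 = ((0xC0A80000, 0xC0A800FF), exact(0x0A000064), exact(80))  # range rule
RULES = [R1, R2, R3, R4, R5]

if __name__ == "__main__":
    parts, complement = partition(RULES, BITS, threshold=2)
    print("partition sets:", parts)
    print("complement C:", complement)
```

R3 is almost-exact but stays in C because the port-22 rule R4 overlaps it, which is what lets the FMT and SMT lookups run in parallel without a priority comparison between them.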



In an alternative embodiment, all rules in F have permit or deny as action. Use is made of the priority 
number mechanism in docket 09/312,148 (disclosure RA8980124). If all almost-exact filter rules have
priority number 1 and if all FM searches have priority over the SMT search, then the correct filter rule 
action will be enforced. 



3. If the same advantage or problem has been identified by others (inside/outside IBM), how have those
others solved it and does your solution differ and why is it better?

We are not aware of others using rule partitions to simplify filter rule tests. 

4. If the invention is implemented in a product or prototype, include technical details, purpose, disclosure
details to others and the date of that implementation.



The invention is planned to be implemented in Classifier Rules and Statistics (CRS), a software GUI and
XML interface for entering and testing filter rules using the IBM Power Network Processor (Rainier).
CRS is intended to be packaged as a demonstration tool. Both it and Power Network Processor
Reference Code Kit are targeted for availability by year end 2000. CRS has not been announced.

Critical Questions (Questions 1 - 7 must be answered)

Patent Value Tool (Optional - this may be used by the inventor and attorney to assist with the aval

Evaluation 
Post Disclosure Text & Drawings